Skip to content

Commit 9853306

Browse files
authored
Add QRadar migration script (#14015)
* Add QRadar migration script * PR review updates * PR review updates * add download button * fix path * Revert "fix path" This reverts commit c387dfd. * Revert "add download button" This reverts commit 868be60. --------- Co-authored-by: kingwil <kingwil@users.noreply.github.com>
1 parent 89a09ec commit 9853306

2 files changed

Lines changed: 6501 additions & 0 deletions

File tree

Tools/QRadarMigration/README.md

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
# Microsoft Sentinel - QRadar Migration Data Collector
2+
3+
**Version: 0.3.2**
4+
5+
## Overview
6+
7+
The QRadar Migration Data Collector extracts custom detection rules and building blocks from IBM QRadar SIEM and converts them into a migration-ready format for Microsoft Sentinel.
8+
9+
## Prerequisites
10+
11+
- **Python 3** (latest stable release recommended; minimum 3.6)
12+
- **QRadar authorized service token** with Admin privileges. [See QRadar documentation]
13+
- **curl** (only required when using `--use-curl` on Python 2.7.5–2.7.8)
14+
15+
> **Python 2.7 note:** Python 2.7 is end-of-life and no longer receives security patches. The script supports Python 2.7.5+ only for running directly on older QRadar consoles where Python 3 is not available. If possible, run the script from a separate host with Python 3 instead.
16+
17+
## Getting Started
18+
19+
1. Create an Authorized Token in the QRadar UI. [See the documenation for more information](https://www.ibm.com/docs/qradar-common?topic=configuration-creating-authorized-service-token).
20+
2. Copy the token for use when running the script
21+
<div style="page-break-before: always;"></div>
22+
23+
## Usage Example
24+
25+
```bash
26+
python3 qradar_collector.py --host 10.1.0.10
27+
```
28+
29+
The script will prompt for your API token securely (input is hidden).
30+
31+
This will create a CSV file named `qradar_rules_YYYYMMDDHHMMSS.csv` containing rules with calculated migration columns.
32+
33+
## Command-Line Options
34+
35+
| Option | Description |
36+
|--------|-------------|
37+
| `-h`, `--help` | Show help message and exit |
38+
| `--host HOST` | QRadar console hostname or IP |
39+
| `--api-version API_VERSION` | QRadar API version (default: latest) |
40+
| `--skip-ssl-verify` | Disable SSL certificate verification for self-signed certificates. See warning below. |
41+
| `--use-curl` | Use curl for HTTP calls (required on Python 2.7.5–2.7.8) |
42+
| `--output-dir OUTPUT_DIR` | Directory for final CSV output files (default: current directory) |
43+
| `--cache-dir PATH` | Path to previously collected data for offline replay (read-only) |
44+
| `--log-sources` | Generate standalone active log sources inventory CSV |
45+
| `--active-days DAYS` | Days of inactivity before a log source is excluded (default: 7) |
46+
| `--debug` | Retain workspace folder and log file on exit |
47+
| `--batch-size SIZE` | Batch size for paginated API calls (default: auto-detected) |
48+
49+
> [!WARNING]
50+
> `--skip-ssl-verify` disables TLS certificate validation. This removes server identity verification and can allow QRadar impersonation, API token interception, and response tampering by a malicious proxy or other on-path attacker. Use only on a trusted management network and trusted QRadar host.
51+
52+
## Running Locally on QRadar Console
53+
54+
Older QRadar appliances typically have Python 2.7.5 installed, which lacks native TLS 1.2 support in the `ssl` module. Use the `--use-curl` flag to work around this limitation. Some QRadar consoles also use self-signed certificates, which is why `--skip-ssl-verify` is shown below:
55+
56+
```bash
57+
python qradar_collector.py --host localhost --use-curl --skip-ssl-verify
58+
```

0 commit comments

Comments
 (0)